Q&A: Working With Companies To Secure Data

Director of North America Midmarket Sales, Jeff Multz, talks about how Dell SecureWorks works with companies to secure data.

What are the biggest threats to data security for companies right now?

The biggest threat is organizations themselves because they aren’t doing enough to protect themselves. They often think they’re secure, yet they’re not really secure. Public and private organizations need multiple layers of security. Not only do they need security around their network, they also need separate layers of security around their most valuable servers and databases.

In addition to layers of security, they need 24x7x365 human monitoring. And not enough organizations have that. Threat actors are after you 24/7. They don’t stop when you’re sleeping. When companies aren’t watching their networks, hackers can enter sight unseen, and leave malware behind. What’s really tough is that these threat actors hide the malware, making it difficult for an IT specialist to find it at a later date when a problem has occurred and someone goes searching for the malware.

Another issue companies have is that they often aren’t compliant with their industry’s IT regulations (PCI DSS, FFIEC, NERC CIP, etc.) although they think they are. Of those companies that are compliant, a lot of them think that just because they ARE compliant, that means they’re secure. They think: I’m compliant, therefore I’m secure. That’s not necessarily true. What is true is this: When a company does all it can to become secure, compliance easily falls into place. Industries create regulations and minimum standards that organizations need to meet to be “compliant.” What people ought to focus on is security. Our Qualified Security Assessors will work with a company to help ensure its security while helping it become compliant.

Companies are often caught in the crosshairs of Advanced Persistent Threat (APT) adjacencies. APTs are known for hitting countries and businesses. Sometimes attackers attack businesses for monetary reasons, and sometimes they attack in order to harm governments. We’ve seen attackers hit the lowest-lying fruit, weak small companies that do business with large companies, which work with or supply the government. These are what we call “adjacencies.”

The other threat I see is what I call “stupid people tricks.” Attackers count on people at organizations being gullible. Office personnel of all ranks, usually with good intentions, click on the links that are sent to them in emails or click on links on Web pages, which unbeknownst to them will download malware.

One of the biggest threats is companies that don’t have an Intrusion Detection/Prevention System (IDS/IPS). The IDS/IPS is separate from the firewall itself. The firewall filters and blocks certain addresses and ports, but an IDS/IPS looks at the traffic in closer detail and can inspect traffic more deeply to prevent attacks that would slip past the firewall. For example, it could better detect violations of rules, protocols, packet designs and DDoS attempts.

What are some of the concerns of businesses in regards to data security?

The biggest concern we see is that organizations are concerned with attaining and maintaining compliance. Any organization that accepts credit cards must be compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Companies also have the following concerns:

I. Liability Risk: Companies are concerned that if their customer information is captured by an attacker, the company could be liable. A company could also be liable if an attacker were to capture information on one of the company’s partners by getting it via the company’s network. Additional scenarios for liability include the following:

The cost to defend an organization’s name when it is suspected of having, or actually has had, a data breach. If there has been a real breach, not only must an organization defend its name, it must send notification to those people and companies at risk of having their personal information exposed.

Companies are also concerned about becoming insurable for a cyber insurance policy, because many organizations that haven’t mitigated their risks sufficiently are denied cyber insurance coverage.

II. Direct Loss Risk: Companies are at risk of losing their customer database, personal customer information, trade secrets, as well as their own finances. A breach could allow attackers to steal money from the business and its customers.

III. Reputation Risk: A lot of companies are concerned about their reputation. They know if there is a breach they must report it and contact customers. That costs a company its reputation as well as the dollars needed to respond to customers and notify them of the attack. Even if there is an attack that only takes down the business’s website, as well as hurting the company’s reputation, the takedown could prevent the company from getting new business as potential customers search elsewhere for another company to take care of their needs.

What is the industry doing to address these concerns?

Unfortunately MOST of the industry is focused on throwing hardware/software solutions at the mix, whereas I don’t see that as the solution. Things like Customer Relationship Management (CRM) software or Enterprise Resource Planning (ERP) or Security Information Management (SIM) technology alone don’t fix the security problem. We need less shelfware and more professionals who know what they’re looking at with these tools.

Don’t get me wrong. Manufacturers should use products. They need firewalls, SIM technology, an IDS/IPS, logs, etc. But if people don’t know how to use these products the ways they were intended to be used, they become “shelfware” because they just sit on a shelf doing half a job at most. We at Dell SecureWorks have often gone into companies with lots of shelfware and found malware on their system. We come in and clean it up and find that it’s NOT the products companies use that aren’t working correctly. It’s the people who aren’t working the products correctly. The people in charge of the products don’t know how to regulate and maintain them, and they don’t have the man-hours to monitor their systems 24/7. They just don’t have the expertise to do any of that the right way. What is needed is people who have the expertise to deploy, maintain and manage these products. Companies need experienced professionals who will watch these technologies 24x7x365, make decisions on false-positives, react to and fix security-relevant issues that arise, and update the technologies when they issue false alarms. The problem companies have is that there are few experienced security professionals who have the expertise to know the difference between security events and noise, so these people tend to ignore a lot of important things.

What are some preventative steps companies can take to avoid data security incidents?

a) Educate your employees. Teach them about getting confirmation from a sender before opening attachments and photos. If they don’t know the sender personally, they should be suspicious when they receive links and attachments.

b) Implement intrusion prevention as a separate layer of protection from the firewall.

c) Employ professionals to conduct 24x7x365 log monitoring. Most companies keep logs of the activity on their network, but the logs are not continuously monitored as they should be. These logs spit out a record of all activity on a company’s network. These logs themselves are rather cryptic; they're merely a string of characters that need to be interpreted at a higher level. Once interpreted, individual logs might not always be something of great concern. For instance, a log might indicate that a single computer has remotely connected to a client's network. That on its own is not very interesting. However, if we aggregate multiple related logs together, we can see a bigger picture that shows us something more interesting. For instance, if multiple connections can be observed on multiple ports on a client's network, it could indicate that a possible reconnaissance is taking place. This interesting behavior can likely be described as an "alarm" or a "red-flag." It's not always the logs themselves that raise an "alarm." Extrapolation and higher-level interpretation of these logs can set off an "alarm."
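The log-aggregation idea in this answer (a single remote connection is uninteresting; the same source touching many ports in a short window is a “red flag”), worked through as an added example. This is not code from the interview or from Dell SecureWorks: the log layout, the sample lines and the thresholds are all constructed for illustration.

```python
"""Aggregate individual connection log lines into a reconnaissance alarm.

Constructed example: the "timestamp src -> dst:port action" layout, the
sample lines and the thresholds are invented for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host sweeps many services in a few seconds,
# another host makes a handful of ordinary repeated connections.
SAMPLE_LOGS = """\
2013-03-04T02:14:01 10.0.0.23 -> 192.168.1.10:445 ACCEPT
2013-03-04T02:14:02 10.0.0.23 -> 192.168.1.10:3389 ACCEPT
2013-03-04T02:14:02 10.0.0.23 -> 192.168.1.11:22 DENY
2013-03-04T02:14:03 10.0.0.23 -> 192.168.1.11:80 ACCEPT
2013-03-04T02:14:03 10.0.0.23 -> 192.168.1.12:443 ACCEPT
2013-03-04T02:14:04 10.0.0.23 -> 192.168.1.12:8080 DENY
2013-03-04T02:14:05 10.0.0.23 -> 192.168.1.13:21 DENY
2013-03-04T02:14:06 10.0.0.23 -> 192.168.1.13:23 DENY
2013-03-04T02:14:07 10.0.0.23 -> 192.168.1.14:25 DENY
2013-03-04T02:14:08 10.0.0.23 -> 192.168.1.14:110 DENY
2013-03-04T02:14:09 10.0.0.23 -> 192.168.1.15:139 DENY
2013-03-04T02:14:10 10.0.0.23 -> 192.168.1.15:1433 DENY
2013-03-04T02:15:00 10.0.0.51 -> 192.168.1.10:443 ACCEPT
2013-03-04T02:15:30 10.0.0.51 -> 192.168.1.10:443 ACCEPT
2013-03-04T02:16:00 10.0.0.51 -> 192.168.1.10:445 ACCEPT
"""


def parse_line(line):
    """Turn one raw line into a structured record; None if it does not match the layout."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    return {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
        "src": parts[1],
        "dst": dst,
        "port": int(port),
        "action": parts[4],
    }


def parse_logs(text):
    """Parse every well-formed line, silently skipping anything unparseable."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def find_recon(records, window=timedelta(seconds=60), port_threshold=10):
    """Flag sources that probe many distinct (host, port) services inside one time window.

    Records are grouped per source address and walked with a sliding window;
    the first window that reaches port_threshold distinct services raises one
    alarm for that source (one entry per source keeps the analyst queue short).
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    alarms = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            services = {(r["dst"], r["port"]) for r in win}
            if len(services) >= port_threshold:
                alarms.append({
                    "src": src,
                    "distinct_ports": len(services),
                    "distinct_hosts": len({r["dst"] for r in win}),
                    "first": win[0]["ts"],
                    "last": win[-1]["ts"],
                })
                break
    return alarms


if __name__ == "__main__":
    for alarm in find_recon(parse_logs(SAMPLE_LOGS)):
        print(f"ALARM: {alarm['src']} touched {alarm['distinct_ports']} services "
              f"on {alarm['distinct_hosts']} hosts between {alarm['first']} and {alarm['last']}")
```

Run stand-alone it prints one alarm for 10.0.0.23 and nothing for 10.0.0.51, which is the point of the answer above: no single line in the sample is alarming, the alarm comes from correlating them. The thresholds are deliberately parameters, because the right values depend on what is normal for a given network and are exactly the kind of judgment the interview says a monitoring analyst has to make.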

What sort of communication should take place within an organization (between IT, management and other departments) to make sure data is being secured?

a) There should be a top-down approach. Management needs to set the tone and communicate with IT and different department managers. IT should implement policies and procedures that physically forbid people from doing certain activities.

b) Education should be ongoing both internally and externally with staff, customers and partners who access your network. They all should be made aware of dangerous activities such as clicking on links, opening attachments in emails, visiting websites known for hosting malware, and leaving passwords around their desks.

c) We are seeing more and more companies that require the CIO or CISO, who are often personally liable for data breaches, to report to the board of directors on all things regarding information security.

How can a company prepare its systems for the possibility of disaster (i.e., security breach, system failure, natural disaster)?

a) Prepare for the worst and do everything you can to prevent it from occurring.

b) Use an experienced security professional to conduct regular vulnerability scans and pen testing.

c) Implement redundancy/contingencies for systems, so if one server goes down in one place, you have a backup that will work. Think about what you would do if a server or many of your servers or your whole site were taken offline due to a virus/worm, other hacker activity or natural disaster. Plan for that happening and create remedies now.

d) Have a prepared Incident Response plan, rehearse it and update it annually.

e) Create a Disaster Recovery Plan and Business Continuity Plan. Review them annually and update them as needed.

How does Dell SecureWorks work with companies to secure data?

We offer four towers of security SERVICES. We sell no products and are vendor neutral to the technologies companies have or will employ in the future. Those four are the following:

I. Incident Response: to help people plan for and respond to an incident so companies can get back up as quickly as possible after a breach.

II. Threat intelligence services: subscription to information on future threats and advice on ways you might remediate/prevent these.

III. Security and Risk Consulting to assess where your current state of security is (penetration testing, IT Audit, Risk assessment, Web app testing), provide Incident Response preparedness to help companies prepare a recovery plan and services to help companies get back up as quickly as possible after a breach.